Bug#401311: Patch for this bug

Andreas Barth aba at not.so.argh.org
Tue Dec 5 23:16:44 CET 2006


tags 401311 + patch
thanks

Hi,

I extracted the patch for this RC bug - if you want, I can NMU it as
well.


Cheers,
Andi

diff -ur gstreamer0.10-ffmpeg-0.10.1~/debian/changelog gstreamer0.10-ffmpeg-0.10.1/debian/changelog
--- gstreamer0.10-ffmpeg-0.10.1~/debian/changelog	2006-12-05 22:10:22.000000000 +0000
+++ gstreamer0.10-ffmpeg-0.10.1/debian/changelog	2006-12-05 22:13:15.000000000 +0000
@@ -1,3 +1,10 @@
+gstreamer0.10-ffmpeg (0.10.1-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix buffer overflow in 4XM code (CVE-2006-4800). Closes: #401311
+
+ -- Andreas Barth <aba at not.so.argh.org>  Tue,  5 Dec 2006 22:12:38 +0000
+
 gstreamer0.10-ffmpeg (0.10.1-2) unstable; urgency=low
 
   [ Loic Minier ]
diff -ur gstreamer0.10-ffmpeg-0.10.1~/gst-libs/ext/ffmpeg/libavcodec/4xm.c gstreamer0.10-ffmpeg-0.10.1/gst-libs/ext/ffmpeg/libavcodec/4xm.c
--- gstreamer0.10-ffmpeg-0.10.1~/gst-libs/ext/ffmpeg/libavcodec/4xm.c	2006-03-28 18:43:58.000000000 +0000
+++ gstreamer0.10-ffmpeg-0.10.1/gst-libs/ext/ffmpeg/libavcodec/4xm.c	2006-12-05 22:15:13.000000000 +0000
@@ -606,7 +606,7 @@
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
     }
 
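Review bot: The added `buf_size < 20` condition on the changed line only leads to the av_log call; the if-body has no return, so a short buffer logs "size mismatch" and execution continues towards the code that reads from `buf+20` (visible in the second hunk's memcpy). Unless a check outside this hunk rejects the frame, the new test does not stop the read it was added for; adding `return -1;` after the av_log, in line with the error path the second hunk introduces, would make the rejection effective. The enclosing function begins before and continues past this hunk, so I cannot see whether a later check already covers this case.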
@@ -634,6 +634,10 @@
         cfrm= &f->cfrm[i];
 
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
 
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
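Review bot: The NULL check on the new `if(!cfrm->data)` line comes after `cfrm->data` has already been overwritten with av_fast_realloc's result, so on failure the previous buffer is unreachable (leaked, if av_fast_realloc leaves the old block allocated as realloc does) and `cfrm->size` still counts bytes in a buffer that is now NULL. Reallocate into a temporary and commit only on success: `void *tmp= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);` then `if(!tmp){ av_log(f->avctx, AV_LOG_ERROR, "realloc failure\n"); return -1; }` and `cfrm->data= tmp;`. The message on the new av_log line is also misspelled ("falure") and, unlike the av_log in the first hunk, has no trailing "\n". `data_size` and the enclosing loop are defined outside the hunk, so whether the requested size `cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE` is already bounded cannot be confirmed here.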
-- 
  http://home.arcor.de/andreas-barth/



